Hi Marc,
Thanks for having spent some time looking into this, but after a
discussion with my network architect this morning, whom I had not been
able to get a hold of until today, I think we may have found the source of
the issue and it most likely has nothing to do with Apiman. We are going to
try to confirm it today. Apparently the default HAProxy configuration for
the HTTPS protocol within Kubernetes does not set the proxy headers like
they do for HTTP traffic; not sure why this is.
Stephen
On Wed, Aug 23, 2017 at 4:59 AM, Marc Savy <marc.savy(a)redhat.com> wrote:
Hi Stephen,
Out of interest: can you replicate your setup, but with no policies in
the chain to see what happens?
Second, perhaps you can try the simple-header-policy
(https://apiman.gitbooks.io/apiman-user-guide/user-guide/gateway/policies.html#_simple_header_policy)
and let me know what happens (just put some dummy config in and see
whether the headers still disappear).
I'll try to replicate your setup soon.
Regards,
Marc
On 22 August 2017 at 17:13, Stephen Henrie <stephen(a)saasindustries.com>
wrote:
> FWIW, it is in the policy code where I am not seeing these headers being set
> correctly:
>
> https://github.com/apiman/apiman/blob/master/gateway/engine/policies/src/main/java/io/apiman/gateway/engine/policies/IPWhitelistPolicy.java#L55
>
>
>
> On Tue, Aug 22, 2017 at 11:01 AM, Stephen Henrie
> <stephen(a)saasindustries.com> wrote:
>>
>> Eric, thanks for the response.
>>
>> I had reviewed that code as well, so I believe you when you say that it
>> should be passing all of those proxy headers along. However, check out below
>> what I am seeing when posting a request to a test service that I am running.
>> It simply dumps the headers. The first request is made directly to the
>> service without going through apiman and the second request is made through
>> apiman.
>>
>> I don't think that the issue is in the servlet code, but when these
>> headers are passed into where policies are applied, like somewhere where the
>> ApiRequest class is created.
>>
>> Thanks
>> Stephen
>>
>>
>> 2017-08-22 15:55:21.063 DEBUG 1 --- [nio-8080-exec-7] com.saas.controller.ApiRestController : HEADERS:
>> 2017-08-22 15:55:21.065 DEBUG 1 --- [nio-8080-exec-7] com.saas.controller.ApiRestController : user-agent: Wget/1.19.1 (darwin15.6.0)
>> 2017-08-22 15:55:21.065 DEBUG 1 --- [nio-8080-exec-7] com.saas.controller.ApiRestController : accept: */*
>> 2017-08-22 15:55:21.065 DEBUG 1 --- [nio-8080-exec-7] com.saas.controller.ApiRestController : accept-encoding: identity
>> 2017-08-22 15:55:21.065 DEBUG 1 --- [nio-8080-exec-7] com.saas.controller.ApiRestController : host: spring-boot-oauth-demo-user-dev.router.dev1.saasforge.com
>> 2017-08-22 15:55:21.065 DEBUG 1 --- [nio-8080-exec-7] com.saas.controller.ApiRestController : authorization: Bearer
>> 2017-08-22 15:55:21.065 DEBUG 1 --- [nio-8080-exec-7] com.saas.controller.ApiRestController : x-forwarded-host: spring-boot-oauth-demo-user-dev.router.dev1.saasforge.com
>> 2017-08-22 15:55:21.065 DEBUG 1 --- [nio-8080-exec-7] com.saas.controller.ApiRestController : x-forwarded-port: 80
>> 2017-08-22 15:55:21.065 DEBUG 1 --- [nio-8080-exec-7] com.saas.controller.ApiRestController : x-forwarded-proto: http
>> 2017-08-22 15:55:21.065 DEBUG 1 --- [nio-8080-exec-7] com.saas.controller.ApiRestController : forwarded: for=71.86.141.114;host=spring-boot-oauth-demo-user-dev.router.dev1.saasforge.com;proto=http
>> 2017-08-22 15:55:21.065 DEBUG 1 --- [nio-8080-exec-7] com.saas.controller.ApiRestController : x-forwarded-for: 71.86.141.114
>> 2017-08-22 15:55:21.065 DEBUG 1 --- [nio-8080-exec-7] com.saas.controller.ApiRestController : RemoteAddr: 172.17.0.1
>>
>>
>>
>> 2017-08-22 15:55:38.561 DEBUG 1 --- [nio-8080-exec-9] com.saas.controller.ApiRestController : HEADERS:
>> 2017-08-22 15:55:38.561 DEBUG 1 --- [nio-8080-exec-9] com.saas.controller.ApiRestController : user-agent: Wget/1.19.1 (darwin15.6.0)
>> 2017-08-22 15:55:38.561 DEBUG 1 --- [nio-8080-exec-9] com.saas.controller.ApiRestController : accept-encoding: identity
>> 2017-08-22 15:55:38.561 DEBUG 1 --- [nio-8080-exec-9] com.saas.controller.ApiRestController : connection: Keep-Alive
>> 2017-08-22 15:55:38.561 DEBUG 1 --- [nio-8080-exec-9] com.saas.controller.ApiRestController : authorization: Bearer
>> 2017-08-22 15:55:38.561 DEBUG 1 --- [nio-8080-exec-9] com.saas.controller.ApiRestController : accept: */*
>> 2017-08-22 15:55:38.561 DEBUG 1 --- [nio-8080-exec-9] com.saas.controller.ApiRestController : host: spring-boot-oauth-demo.user-dev.svc:8080
>> 2017-08-22 15:55:38.561 DEBUG 1 --- [nio-8080-exec-9] com.saas.controller.ApiRestController : RemoteAddr: 172.17.0.6
>>
>>
>> On Mon, Aug 21, 2017 at 9:50 AM, Eric Wittmann <eric.wittmann(a)redhat.com>
>> wrote:
>>>
>>> GitHub is back up. Here is the code (when running the servlet version of
>>> the gateway, not the vert.x version) that reads the inbound HTTP request
>>> headers, copying them into the ApiRequest bean:
>>>
>>> https://github.com/apiman/apiman/blob/master/gateway/platforms/servlet/src/main/java/io/apiman/gateway/platforms/servlet/GatewayServlet.java#L263-L280
>>>
>>> The only header that gets skipped is X-API-Version.
>>>
>>> -Eric
>>>
>>>
>>> On Mon, Aug 21, 2017 at 10:04 AM, Eric Wittmann
>>> <eric.wittmann(a)redhat.com> wrote:
>>>>
>>>> That's very interesting because I don't believe Apiman is stripping out
>>>> any headers from the request (at any point). If that's happening I can't
>>>> think of what the root cause might be. IIRC we just copy all request
>>>> headers from the inbound HttpServletRequest into the ApiRequest bean.
>>>>
>>>> GitHub is currently down so I can't send a link to the relevant code....
>>>>
>>>> On Fri, Aug 18, 2017 at 11:16 PM, Stephen Henrie
>>>> <stephen(a)saasindustries.com> wrote:
>>>>>
>>>>>
>>>>> I have Apiman running in an OpenShift environment, which is essentially
>>>>> a similar configuration to running in Kubernetes. Each container/pod is
>>>>> always receiving http/s requests through an HA Proxy server, so that the
>>>>> x-forwarded-* set of headers get added to each request by the proxy server.
>>>>>
>>>>> Unfortunately, it appears that the headers which are provided in the
>>>>> ApiRequest bean when the policy chain processor doApply() method is called
>>>>> do not include these proxy related headers. This means that the standard
>>>>> policies for the IP white and black listing policies do not work when the
>>>>> apiman gateway is behind a proxy server. The request.getRemoteAddr() method
>>>>> returns the ip address to the proxy server, so there is no way to get the ip
>>>>> address of the originator since the x-forwarded-for header (and related
>>>>> headers) are not found.
>>>>>
>>>>> Has anyone else experienced this? If so, is this by design?
>>>>>
>>>>> Thanks!
>>>>>
>>>>> Stephen
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> Apiman-user mailing list
>>>>> Apiman-user(a)lists.jboss.org
>>>>> https://lists.jboss.org/mailman/listinfo/apiman-user
>>>>>
>>>>
>>>
>>
>
>
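
The thread turns on which address an IP allow/deny policy sees when the gateway sits behind a proxy: the socket peer, or the client named in X-Forwarded-For. The following is an added example, not code from the thread or from Apiman; the class and method names are hypothetical, it handles IPv4 only, and it assumes 172.17.0.1 (the RemoteAddr in the first header dump) is the proxy.

```java
import java.util.Set;
import java.util.regex.Pattern;

// Added example; class and method names are hypothetical, not Apiman APIs.
public class ClientIpResolver {
    private static final String OCTET = "(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)";
    private static final Pattern IPV4 =
            Pattern.compile("^(" + OCTET + "\\.){3}" + OCTET + "$");

    private final Set<String> trustedProxies; // peers allowed to set X-Forwarded-For

    public ClientIpResolver(Set<String> trustedProxies) {
        this.trustedProxies = trustedProxies;
    }

    /** Returns the address an IP allow/deny list should evaluate. */
    public String resolve(String remoteAddr, String xForwardedFor) {
        // Header absent, or sent by a peer that is not a known proxy:
        // the socket peer is the only value the sender cannot choose freely.
        if (xForwardedFor == null || !trustedProxies.contains(remoteAddr)) {
            return remoteAddr;
        }
        // Proxies append to the right, so walk right to left and stop at
        // the first hop that is not one of our own proxies.
        String[] hops = xForwardedFor.split(",");
        for (int i = hops.length - 1; i >= 0; i--) {
            String hop = hops[i].trim();
            if (!IPV4.matcher(hop).matches()) {
                return remoteAddr; // malformed entry: fall back to the peer
            }
            if (!trustedProxies.contains(hop)) {
                return hop;
            }
        }
        return remoteAddr; // every listed hop was a trusted proxy
    }

    public static void main(String[] args) {
        // Assumption: 172.17.0.1 (RemoteAddr in the first dump) is the proxy.
        ClientIpResolver r = new ClientIpResolver(Set.of("172.17.0.1"));
        // Header present and peer trusted, as in the first dump.
        System.out.println(r.resolve("172.17.0.1", "71.86.141.114"));
        // Header missing, as in the second dump: only the peer is known.
        System.out.println(r.resolve("172.17.0.6", null));
        // Constructed case: an untrusted peer supplying its own header.
        System.out.println(r.resolve("203.0.113.9", "10.0.0.5"));
    }
}
```

When the proxy does not add the header, as suspected for the HTTPS route, the policy can only ever evaluate the proxy's own address.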